1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2014, Jouni Malinen <j@w1.fi>
4 #
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
7
8 import base64
9 import time
10 import subprocess
11 import logging
# Module-wide logger (the unnamed root logger); tests use it for progress notes
logger = logging.getLogger()
13 import os.path
14
15 import hwsim_utils
16 import hostapd
17 from test_ap_psk import check_mib
18
def read_pem(fname):
    """Return the decoded (DER) bytes of the first PEM block in *fname*.

    Only the lines between the first "-----BEGIN" marker and the next
    "-----END" marker are base64-decoded. A file without such markers
    yields an empty result rather than an error, so callers that need a
    non-empty blob should check for that themselves.
    """
    body = []
    inside = False
    with open(fname, "r") as fh:
        for line in fh:
            if "-----END" in line:
                break
            if inside:
                body.append(line)
            if "-----BEGIN" in line:
                inside = True
    return base64.b64decode("".join(body))
32
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                **kwargs):
    """Connect *dev* to the EAP test AP *ap* and verify the EAP exchange.

    Extra keyword arguments are passed straight through to dev.connect()
    as network parameters (password, certificates, phase1/phase2, ...).
    Returns the network id from dev.connect(). With expect_failure the
    function returns once the supplicant has reported the failure;
    otherwise it additionally waits for hostapd's AP-STA-CONNECTED event.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    net_id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                         eap=method, identity=identity,
                         wait_connect=False, scan_freq="2412", ieee80211w="1",
                         **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report)
    if not expect_failure:
        # Confirm the AP side saw the association complete as well
        if hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5) is None:
            raise Exception("No connection event received from hostapd")
    return net_id
50
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False):
    """Follow the supplicant's EAP event sequence and verify the outcome.

    Waits for EAP start and method selection (the selected method must
    contain *method*), then either the failure path (EAP failure followed
    by disconnection; reason=23 is required unless local_error_report is
    set) or the success path (EAP success, then CTRL-EVENT-CONNECTED for
    an *initial* connection or key negotiation for a reauthentication).
    On success the STATUS output is checked for wpa_state, port
    authorization, the selected method and the expected key_mgmt string.
    Raises Exception on any timeout or mismatch.
    """
    def expect(events, error, **kwargs):
        ev = dev.wait_event(events, **kwargs)
        if ev is None:
            raise Exception(error)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out",
           timeout=10)
    ev = expect(["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out",
                timeout=10)
    if method not in ev:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        # No explicit timeout here: the default wait_event timeout applies
        expect(["CTRL-EVENT-EAP-FAILURE"], "EAP failure timed out")
        ev = expect(["CTRL-EVENT-DISCONNECTED"], "Disconnection timed out")
        if not local_error_report and "reason=23" not in ev:
            raise Exception("Proper reason code for disconnection not reported")
        return

    expect(["CTRL-EVENT-EAP-SUCCESS"], "EAP success timed out", timeout=10)
    if initial:
        done = ["CTRL-EVENT-CONNECTED"]
    else:
        done = ["WPA: Key negotiation completed"]
    expect(done, "Association with the AP timed out", timeout=10)

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")
    if sha256:
        expected = "WPA2-EAP-SHA256"
    elif rsn:
        expected = "WPA2/IEEE 802.1X/EAP"
    else:
        expected = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
98
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger a supplicant-side reauthentication and verify its result.

    Runs the same checks as an initial connection, except that completion
    is signalled by key negotiation rather than a new connected event.
    """
    dev.request("REAUTHENTICATE")
    eap_check_auth(dev, method, False, expect_failure=expect_failure,
                   rsn=rsn, sha256=sha256)
103
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    # EAP-SIM needs the hlr_auc_gw helper behind the authentication server;
    # without its socket the test cannot run.
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Colon-separated hex secret for the simulated SIM
    passwd = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

    eap_connect(dev[0], ap, "SIM", "1232010000000000", password=passwd)
    hwsim_utils.test_connectivity(dev[0].ifname, ap['ifname'])
    eap_reauth(dev[0], "SIM")

    # A second subscriber succeeds; the third is expected to be rejected
    eap_connect(dev[1], ap, "SIM", "1232010000000001", password=passwd)
    eap_connect(dev[2], ap, "SIM", "1232010000000002", password=passwd,
                expect_failure=True)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    # Same secret with its first byte altered
    wrong = "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], ap, "SIM", "1232010000000000", password=wrong,
                expect_failure=True)
127
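def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"
    try:
        import sqlite3
    except ImportError:
        return "skip"
    passwd = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    # The SQL-backed EAP server keeps its fast-reauth and pseudonym state in
    # this database; the test edits it directly to steer the server into each
    # code path. The handle is closed in the finally block below so a failed
    # check does not leak it.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def sql(*statements):
        # One committed transaction per call (the connection context manager
        # commits on success and rolls back on error)
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    def connect():
        eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                    password=passwd)

    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # Port 1814 presumably selects the SQL-backed authentication server
        # instance (the default port being the non-SQL one) -- inferred
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        connect()

        logger.info("SIM fast re-authentication")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with pseudonym")
        sql("DELETE FROM reauth WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with permanent identity")
        sql("DELETE FROM reauth WHERE permanent='1232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM reauth with mismatching MK")
        sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        connect()
        sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")
        sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with mismatching counter")
        eap_reauth(dev[0], "SIM")
        dev[0].request("REMOVE_NETWORK all")

        connect()
        sql("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with max reauth count reached")
        eap_reauth(dev[0], "SIM")
    finally:
        con.close()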
187
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    passwd = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    init_error = "EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"

    # sim_min_num_chal values 1 and 4 must make method initialization fail
    for value, suffix in (("1", ""), ("4", " (2)")):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000", password=passwd,
                       phase1="sim_min_num_chal=" + value,
                       wait_connect=False, scan_freq="2412")
        if dev[0].wait_event([init_error], timeout=10) is None:
            raise Exception("No EAP error message seen" + suffix)
        dev[0].request("REMOVE_NETWORK all")

    # Accepted value, and a separate station using an anonymous identity
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000", password=passwd,
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000", password=passwd,
                anonymous_identity="345678")
218
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Colon-separated hex secret for the simulated USIM (three fields for AKA)
    passwd = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"

    eap_connect(dev[0], ap, "AKA", "0232010000000000", password=passwd)
    hwsim_utils.test_connectivity(dev[0].ifname, ap['ifname'])
    eap_reauth(dev[0], "AKA")

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    # Same secret with its first byte altered
    wrong = "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], ap, "AKA", "0232010000000000", password=wrong,
                expect_failure=True)
236
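def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"
    try:
        import sqlite3
    except ImportError:
        return "skip"
    passwd = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    # The SQL-backed EAP server keeps its fast-reauth and pseudonym state in
    # this database; the test edits it directly to steer the server into each
    # code path. The handle is closed in the finally block below so a failed
    # check does not leak it.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def sql(*statements):
        # One committed transaction per call (the connection context manager
        # commits on success and rolls back on error)
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    def connect():
        eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                    password=passwd)

    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # Port 1814 presumably selects the SQL-backed authentication server
        # instance (the default port being the non-SQL one) -- inferred
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        connect()

        logger.info("AKA fast re-authentication")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with pseudonym")
        sql("DELETE FROM reauth WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with permanent identity")
        sql("DELETE FROM reauth WHERE permanent='0232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA reauth with mismatching MK")
        sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        connect()
        sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")
        sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with mismatching counter")
        eap_reauth(dev[0], "AKA")
        dev[0].request("REMOVE_NETWORK all")

        connect()
        sql("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA")
    finally:
        con.close()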
296
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Only the anonymous_identity option is exercised here
    eap_connect(dev[0], ap, "AKA", "0232010000000000",
                anonymous_identity="2345678",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
304
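def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def wait_umts_auth_request():
        # The request looks like CTRL-REQ-SIM-<id>:UMTS-AUTH:<params>; return
        # <id> so the reply can be addressed with CTRL-RSP-SIM-<id>.
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        parts = ev.split(':', 2)
        if parts[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return parts[0].split('-')[3]

    # Hand SIM/USIM processing to the control interface client (this test)
    # instead of the supplicant's built-in simulation.
    dev[0].request("SET external_sim 1")
    try:
        dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                       identity="0232010000000000",
                       password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                       wait_connect=False, scan_freq="2412")
        # The error text names what was actually awaited (method selection,
        # not a completed connection)
        if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
            raise Exception("EAP method selection timed out")

        rid = wait_umts_auth_request()
        # IK:CK:RES
        resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
        # Wrong response type for a UMTS-AUTH request: the ctrl_iface command
        # itself is accepted, but EAP processing fails afterwards
        dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")

        dev[0].request("REASSOCIATE")
        rid = wait_umts_auth_request()
        # Correct response type, but the made-up IK/CK/RES values fail UMTS
        # auth validation
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp):
            raise Exception("CTRL-RSP-SIM failed")
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")
    finally:
        # Restore the default so later tests on dev[0] do not inherit external
        # SIM mode (the harness may reset this as well; doing it here is harmless)
        dev[0].request("SET external_sim 0")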
352
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    identity = "6555444333222111"
    passwd = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    eap_connect(dev[0], ap, "AKA'", identity, password=passwd)
    hwsim_utils.test_connectivity(dev[0].ifname, ap['ifname'])
    eap_reauth(dev[0], "AKA'")

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    # Same secret with its first byte altered
    wrong = "ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], ap, "AKA'", identity, password=wrong,
                expect_failure=True)
370
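def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"
    try:
        import sqlite3
    except ImportError:
        return "skip"
    passwd = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    # The SQL-backed EAP server keeps its fast-reauth and pseudonym state in
    # this database; the test edits it directly to steer the server into each
    # code path. The handle is closed in the finally block below so a failed
    # check does not leak it.
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def sql(*statements):
        # One committed transaction per call (the connection context manager
        # commits on success and rolls back on error)
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    def connect():
        eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
                    password=passwd)

    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        # Port 1814 presumably selects the SQL-backed authentication server
        # instance (the default port being the non-SQL one) -- inferred
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        connect()

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        sql("DELETE FROM reauth WHERE permanent='6555444333222111'",
            "DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        # AKA' stores k_aut (not mk) in the reauth table, so that is the
        # field corrupted here
        logger.info("AKA' reauth with mismatching k_aut")
        sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        connect()
        sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")
        sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        connect()
        sql("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")
    finally:
        con.close()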
430
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap = apdev[0]
    hapd = hostapd.add_ap(ap['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # GET_CONFIG must list WPA-EAP as the first key management suite
    key_mgmt = hapd.get_config()['key_mgmt']
    if key_mgmt.partition(' ')[0] != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    # Server certificate is pinned by both subject_match and altsubject_match
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    hwsim_utils.test_connectivity(dev[0].ifname, ap['ifname'])
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the 802.1X AKM suite selector
    expected_mib = [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                     ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ]
    check_mib(dev[0], expected_mib)
447
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Trust root given as ca.der (DER-encoded, going by the file name)
    eap_connect(dev[0], ap, "TTLS", "chap user",
                phase2="auth=CHAP", ca_cert="auth_serv/ca.der",
                anonymous_identity="ttls", password="password",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    hwsim_utils.test_connectivity(dev[0].ifname, ap['ifname'])
    eap_reauth(dev[0], "TTLS")
458
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    # First with domain suffix matching on the server certificate
    eap_connect(dev[0], ap, "TTLS", "mschap user",
                domain_suffix_match="server.w1.fi", **common)
    hwsim_utils.test_connectivity(dev[0].ifname, ap['ifname'])
    eap_reauth(dev[0], "TTLS")
    # Then with a small EAP fragment size to force fragmentation
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "TTLS", "mschap user",
                fragment_size="200", **common)
474
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    hapd = hostapd.Hostapd(ifname)
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0].ifname, ifname)

    # Snapshot hostapd's per-STA counters around a reauthentication and check
    # that the EAPOL/EAP activity shows up in them
    addr = dev[0].p2p_interface_addr()
    sta_before = hapd.get_sta(addr)
    eapol_before = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta_after = hapd.get_sta(addr)
    eapol_after = hapd.get_sta(addr, info="eapol")

    def increased(key, before, after):
        return int(after[key]) > int(before[key])

    if not increased('dot1xAuthEapolFramesRx', sta_before, sta_after):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol_after['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if not increased('backendAuthSuccesses', eapol_before, eapol_after):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # NT password hash supplied instead of the cleartext password
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
510
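def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # (the unused hostapd.Hostapd() handle the test used to create is dropped)
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    # Non-ASCII password given in cleartext (file is UTF-8 encoded) ...
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **common)
    # ... and as a precomputed NT password hash for a second user
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **common)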
523
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # autheap= selects an inner EAP method (here GTC) instead of a
    # non-EAP TTLS phase 2 method
    eap_connect(dev[0], ap, "TTLS", "user", phase2="autheap=GTC",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem")
    hwsim_utils.test_connectivity(dev[0].ifname, ap['ifname'])
    eap_reauth(dev[0], "TTLS")
533
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Inner EAP-MD5 inside the TTLS tunnel
    eap_connect(dev[0], ap, "TTLS", "user", phase2="autheap=MD5",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem")
    hwsim_utils.test_connectivity(dev[0].ifname, ap['ifname'])
    eap_reauth(dev[0], "TTLS")
543
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], ap, "TTLS", "user", password="password", **common)
    hwsim_utils.test_connectivity(dev[0].ifname, ap['ifname'])
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "TTLS", "user", password="password1",
                expect_failure=True, **common)
560
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    eap_connect(dev[0], ap, "PEAP", "user", password="password", **common)
    hwsim_utils.test_connectivity(dev[0].ifname, ap['ifname'])
    eap_reauth(dev[0], "PEAP")

    # Small EAP fragment size to force fragmentation of the TLS exchange
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user", password="password",
                fragment_size="200", **common)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **common)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "PEAP", "user", password="password1",
                expect_failure=True, **common)
589
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # peapver=0 pins PEAPv0; crypto_binding=2 is the strictest setting of the
    # phase1 crypto_binding option (see wpa_supplicant.conf for its values)
    eap_connect(dev[0], ap, "PEAP", "user",
                phase1="peapver=0 crypto_binding=2",
                phase2="auth=MSCHAPV2",
                password="password", ca_cert="auth_serv/ca.pem")
    hwsim_utils.test_connectivity(dev[0].ifname, ap['ifname'])
    eap_reauth(dev[0], "PEAP")
600
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The *2 parameters configure the inner (phase 2) EAP-TLS credentials
    inner = dict(ca_cert2="auth_serv/ca.pem",
                 client_cert2="auth_serv/user.pem",
                 private_key2="auth_serv/user.key")
    eap_connect(dev[0], ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner)
    eap_reauth(dev[0], "PEAP")
611
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Client certificate and key read from files
    eap_connect(dev[0], ap, "TLS", "tls user",
                private_key="auth_serv/user.key",
                client_cert="auth_serv/user.pem",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "TLS")
620
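def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, fname):
        # Blobs are pushed over the control interface as hex; .encode("hex")
        # is the Python 2 hex codec used throughout this file. The error
        # message names the blob that failed (the userkey case used to
        # report "cacert").
        data = read_pem(fname)
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", "auth_serv/ca.pem")
    set_blob("usercert", "auth_serv/user.pem")
    set_blob("userkey", "auth_serv/user.key")
    # All three credentials referenced via blob:// instead of file paths
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")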
637
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Passphrase supplied in the network configuration
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key_passwd="whatever",
                private_key="auth_serv/user.pkcs12")
    dev[0].request("REMOVE_NETWORK all")

    # Passphrase left out: the supplicant has to ask for it over the control
    # interface (CTRL-REQ-PASSPHRASE-<id>:...) and proceed once answered
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    if dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10) is None:
        raise Exception("Connection timed out")
659
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # CA certificate as a PEM-decoded blob ...
    ca_hex = read_pem("auth_serv/ca.pem").encode("hex")
    if "OK" not in dev[0].request("SET blob cacert " + ca_hex):
        raise Exception("Could not set cacert blob")
    # ... and the PKCS#12 bundle as a raw binary blob
    with open("auth_serv/user.pkcs12", "rb") as fh:
        p12_hex = fh.read().encode("hex")
        if "OK" not in dev[0].request("SET blob pkcs12 " + p12_hex):
            raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], ap, "TLS", "tls user", ca_cert="blob://cacert",
                private_key_passwd="whatever",
                private_key="blob://pkcs12")
673
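def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The wrong CA is supplied two ways: as a configuration blob (dev[0])
    # and as a file path (dev[1]); both must reject the server certificate.
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    for sta, ca in ((dev[0], "blob://cacert"),
                    (dev[1], "auth_serv/ca-incorrect.pem")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=ca,
                    wait_connect=False, scan_freq="2412")

    def expect(sta, events, error):
        # Wait for any of *events* on *sta*; a timeout is a test failure
        ev = sta.wait_event(events, timeout=10)
        if ev is None:
            raise Exception(error)
        return ev

    # A distinct loop name is used instead of rebinding the 'dev' parameter
    for sta in (dev[0], dev[1]):
        expect(sta, ["CTRL-EVENT-EAP-STARTED"],
               "Association and EAP start timed out")
        ev = expect(sta, ["CTRL-EVENT-EAP-METHOD"],
                    "EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # The certificate error must be reported before any other outcome
        ev = expect(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                          "CTRL-EVENT-EAP-SUCCESS",
                          "CTRL-EVENT-EAP-FAILURE",
                          "CTRL-EVENT-CONNECTED",
                          "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = expect(sta, ["CTRL-EVENT-EAP-SUCCESS",
                          "CTRL-EVENT-EAP-FAILURE",
                          "CTRL-EVENT-CONNECTED",
                          "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = expect(sta, ["CTRL-EVENT-CONNECTED",
                          "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        # The supplicant must temporarily disable the network block after
        # the failed authentication
        expect(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"],
               "Network block disabling not reported")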
732
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Valid trust root, but a domain_suffix_match the server certificate
    # cannot satisfy
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    def expect(events, error):
        # Wait for any of *events*; a timeout is a test failure
        ev = dev[0].wait_event(events, timeout=10)
        if ev is None:
            raise Exception(error)
        return ev

    expect(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error, naming the suffix mismatch, must come first
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # The supplicant must temporarily disable the network block afterwards
    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"],
           "Network block disabling not reported")
785
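def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    The station trusts auth_serv/ca.pem but requires a subject_match value
    that the server certificate does not carry, so the server certificate
    must be rejected even though it chains to the trusted CA. Expected
    station-side sequence: EAP start, TTLS selected, TLS certificate error
    reporting "Subject mismatch", EAP failure, disconnection, network block
    temporarily disabled.

    Raises Exception if any step times out or an unexpected event is seen.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" keeps the literal backslash; "\m" is an invalid escape sequence
    # that only happens to evaluate to the same value.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The success/failure/connection events are listed alongside the
    # certificate error so that an unexpected outcome fails the test
    # immediately instead of waiting for the timeout.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")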
838
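def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch

    The station trusts auth_serv/ca.pem but requires an altsubject_match
    value absent from the server certificate, so the certificate must be
    rejected even though it chains to the trusted CA. Expected station-side
    sequence: EAP start, TTLS selected, TLS certificate error reporting
    "AltSubject mismatch", EAP failure, disconnection, network block
    temporarily disabled.

    Raises Exception if any step times out or an unexpected event is seen.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" keeps the literal backslash; "\m" is an invalid escape sequence
    # that only happens to evaluate to the same value.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The success/failure/connection events are listed alongside the
    # certificate error so that an unexpected outcome fails the test
    # immediately instead of waiting for the timeout.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")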
891
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Brings up a WPA2-Enterprise AP, connects dev[0] with the UNAUTH-TLS
    method while trusting auth_serv/ca.pem, then forces a reauthentication
    with the same method.
    """
    ap_ifname = apdev[0]['ifname']
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(ap_ifname, ap_params)
    sta = dev[0]
    eap_connect(sta, apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
899
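def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Three phases:
    1. ca_cert="probe://" - the server certificate is only probed: its
       depth=0 hash must be reported in CTRL-EVENT-EAP-PEER-CERT and the
       exchange must end with a "Server certificate chain probe" error and a
       disconnection (no authentication takes place).
    2. ca_cert="hash://server/sha256/<other hash>" - a hash that does not
       match the server certificate must produce a "Server certificate
       mismatch" error and a disconnection.
    3. ca_cert="hash://server/sha256/<probed hash>" - pinning the correct
       hash allows the full EAP-TTLS/MSCHAPv2 connection to complete.

    Raises Exception if any expected event is missing or times out.
    """
    srv_cert_hash = "0a3f81f63569226657a069855bb13f3b922670437a2b87585a4734f70ac7315b"
    # A syntactically valid SHA-256 hash that is not the server's.
    mismatch_hash = "5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Phase 1: probe the server certificate chain.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Disconnection event not seen")
    dev[0].request("REMOVE_NETWORK all")

    # Phase 2: pin a wrong hash; the server certificate must be rejected.
    # "\\m" keeps the literal backslash; "\m" is an invalid escape sequence
    # that only happens to evaluate to the same value.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/" + mismatch_hash,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Disconnection event not seen")
    dev[0].request("REMOVE_NETWORK all")

    # Phase 3: pin the hash reported by the probe; connection must succeed.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")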
948
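def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three stations are configured with malformed hash://server/ ca_cert
    values: an unsupported "md5" algorithm label, a sha256 value that is too
    short, and a sha256 value containing a non-hex character. Each must fail
    at EAP method initialization rather than proceed to a TLS handshake.

    Raises Exception if any station does not report the initialization
    failure in time.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\\m" keeps the literal backslash; "\m" is an invalid escape sequence
    # that only happens to evaluate to the same value.
    identity = "DOMAIN\\mschapv2 user"
    # Unsupported hash algorithm label.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=identity, anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    # Truncated (too short) sha256 value.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=identity, anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
                   wait_connect=False, scan_freq="2412")
    # Non-hex character ('Q') in the sha256 value.
    dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=identity, anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
                   wait_connect=False, scan_freq="2412")
    for i in range(3):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")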
975
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd

    Covers a plain EAP-pwd connection with reauthentication on dev[0], a
    long identity with client-side fragmentation (fragment_size 90 on
    dev[1], then 31 on dev[0]), and a negative case on dev[2] with a wrong
    password that must end in a locally reported EAP failure.
    """
    long_identity = ("pwd.user@test1234567890123456789012345678901234567890"
                     "1234567890123456789012345678901234567890"
                     "1234567890.example.com")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[1], apdev[0], "PWD", long_identity,
                password="secret password", fragment_size="90")

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], apdev[0], "PWD", "pwd user",
                password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], apdev[0], "PWD", long_identity,
                password="secret password", fragment_size="31")
997
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    Re-creates the AP once per pwd_group value (19, 20, 21, 25, 26) and
    checks that dev[0] can complete an EAP-pwd connection with each one.
    The network block is removed before every attempt so that each run
    starts from a clean configuration.
    """
    ap_ifname = apdev[0]['ifname']
    base = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
            "rsn_pairwise": "CCMP", "ieee8021x": "1",
            "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    for group in (19, 20, 21, 25, 26):
        base['pwd_group'] = str(group)
        hostapd.add_ap(ap_ifname, base)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user",
                    password="secret password")
1008
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    Configures the AP with pwd_group "0", which is not a usable group, and
    expects the station's EAP-pwd attempt to end in CTRL-EVENT-EAP-FAILURE.

    Raises Exception if the failure is not reported.
    """
    ap_params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                 "rsn_pairwise": "CCMP", "ieee8021x": "1",
                 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
                 "pwd_group": "0"}
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                identity="pwd user", password="secret password",
                scan_freq="2412", wait_connect=False)
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
1022
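def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP's integrated EAP server is configured with a small fragment_size
    (40) so that the server side must fragment its EAP-pwd messages; dev[0]
    is expected to reassemble them and complete the connection.
    """
    # Build the parameter set directly; the previous wpa2_eap_params() call
    # was dead code, its result being overwritten immediately.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")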
1032
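def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Steps: normal connection plus reauthentication; forcing each supported
    cipher suite through phase1 ("cipher=1", "cipher=2") and expecting EAP
    success and a connection after each change; forcing an unsupported
    cipher ("cipher=9") and expecting EAP failure; finally a negative
    connection attempt with a wrong password.

    Raises Exception if any expected event times out.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # net_id rather than id: do not shadow the builtin.
    net_id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "cipher=1", "cipher=2" ]:
        dev[0].set_network_quoted(net_id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Association with the AP timed out")

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(net_id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)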
1062
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Connects dev[0] with EAP-SAKE using a hex-encoded password, forces a
    reauthentication, then retries with a wrong password and expects the
    attempt to fail.
    """
    good_pw = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_pw = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    sta = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, apdev[0], "SAKE", "sake user", password_hex=good_pw)
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "SAKE", "sake user", password_hex=bad_pw,
                expect_failure=True)
1076
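def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Steps: normal connection plus reauthentication; forcing several
    dhgroup/encr/prf/mac combinations through phase1 and expecting EAP
    success and a connection after each change; forcing an unsupported
    combination and expecting EAP failure; finally a negative connection
    attempt with a wrong password.

    Raises Exception if any expected event times out.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # net_id rather than id: do not shadow the builtin.
    net_id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
                    "dhgroup=4 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=2 mac=2",
                    "dhgroup=3 encr=1 prf=1 mac=1" ]:
        dev[0].set_network_quoted(net_id, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Association with the AP timed out")

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)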
1107
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Connects dev[0] with EAP-IKEv2 and reauthenticates, repeats the
    connection with client-side fragmentation (fragment_size 50), then
    checks that a wrong password makes the attempt fail.
    """
    sta = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
1123
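def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP's integrated EAP server is configured with a small fragment_size
    (50) so that the server side must fragment its EAP-IKEv2 messages;
    dev[0] is expected to reassemble them, connect and reauthenticate.
    """
    # Build the parameter set directly; the previous wpa2_eap_params() call
    # was dead code, its result being overwritten immediately.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")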
1135
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Connects dev[0] with EAP-PAX using a hex-encoded password and
    reauthenticates, then checks that a wrong password makes the attempt
    fail.
    """
    good_pw = "0123456789abcdef0123456789abcdef"
    bad_pw = "ff23456789abcdef0123456789abcdef"
    sta = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex=good_pw)
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex=bad_pw, expect_failure=True)
1149
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP requires WPA-EAP-SHA256 with PMF (ieee80211w=2). dev[0] connects
    with EAP-PSK, reauthenticates, and the MIB is checked to confirm that
    AKM suite 00-0f-ac-5 was both requested and selected. A wrong password
    must make a second attempt fail.
    """
    good_pw = "0123456789abcdef0123456789abcdef"
    bad_pw = "ff23456789abcdef0123456789abcdef"
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    eap_connect(sta, apdev[0], "PSK", "psk.user@example.com",
                password_hex=good_pw, sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5")]
    check_mib(sta, expected_mib)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PSK", "psk.user@example.com",
                password_hex=bad_pw, sha256=True, expect_failure=True)
1167
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Uses a WPA (not WPA2) AP: the connection is validated with rsn=False,
    data connectivity is checked, a reauthentication is run, and the MIB
    must show the WPA AKM suite 00-50-f2-1 as requested and selected.
    """
    ap_ifname = apdev[0]['ifname']
    hostapd.add_ap(ap_ifname, hostapd.wpa_eap_params(ssid="test-wpa-eap"))
    sta = dev[0]
    sta.connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                identity="user", password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem", wait_connect=False,
                scan_freq="2412")
    eap_check_auth(sta, "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(sta.ifname, ap_ifname)
    eap_reauth(sta, "PEAP", rsn=False)
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1")]
    check_mib(sta, expected_mib)
1181
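def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Each entry in ``tests`` leaves the identity and/or the password out of
    the network block and answers the resulting CTRL-REQ-IDENTITY and
    CTRL-REQ-PASSWORD (or CTRL-REQ-OTP) requests over the control interface
    with CTRL-RSP-* messages. The connection must then complete.

    Raises Exception if a request or the final connection times out.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): hapd is not referenced below; kept for the control
    # interface connection its constructor opens - TODO confirm it can go.
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to supply on request or None, password to supply on request)
    # "\\m" keeps the literal backslash; "\m" is an invalid escape sequence
    # that only happens to evaluate to the same value.
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\\mschapv2 user", "auth=MSCHAPV2",
               None, "password"),
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            # The request number is the last '-'-separated field before the
            # first ':' of the CTRL-REQ-* line; it is echoed in the reply.
            req_num = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        req_num = ev.split(':')[0].split('-')[-1]
        # rsp_type rather than type: do not shadow the builtin.
        rsp_type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + rsp_type + "-" + req_num + ":" + req_pw)
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
        if ev is None:
            raise Exception("Connection timed out")
        dev[0].request("REMOVE_NETWORK all")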
1224
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test

    Connects dev[0] with the VENDOR-TEST method and reauthenticates.
    """
    sta = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(sta, "VENDOR-TEST")
1231
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    phase1="fast_provisioning=1" selects unauthenticated (anonymous) PAC
    provisioning; the PAC is stored in the "fast_pac" blob. After the
    connection, data connectivity is checked and a reauthentication is run.
    """
    ap_ifname = apdev[0]['ifname']
    hostapd.add_ap(ap_ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    eap_connect(sta, apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta.ifname, ap_ifname)
    eap_reauth(sta, "FAST")
1242
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Same flow as unauthenticated provisioning, but phase1 additionally
    selects the binary PAC file format and limits the PAC list to one
    entry; the PAC is stored in the "fast_pac_bin" blob.
    """
    sta = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    fast_phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(sta, apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=fast_phase1,
                pac_file="blob://fast_pac_bin")
    eap_reauth(sta, "FAST")
1253
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Two attempts without any provisioning enabled in phase1: one pointing
    pac_file at a blob that holds no usable PAC, one with no pac_file at
    all. Both must end in CTRL-EVENT-EAP-FAILURE.

    Raises Exception if either failure is not reported.
    """
    sta = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    common = dict(key_mgmt="WPA-EAP", eap="FAST",
                  identity="user", anonymous_identity="FAST",
                  password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  wait_connect=False, scan_freq="2412")

    sta.connect("test-wpa2-eap", pac_file="blob://fast_pac_not_in_use",
                **common)
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    sta.request("REMOVE_NETWORK all")

    sta.connect("test-wpa2-eap", **common)
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
1278
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    phase1="fast_provisioning=2" selects authenticated PAC provisioning
    with GTC as the inner method; the PAC is stored in the "fast_pac_auth"
    blob. After the connection, data connectivity is checked and a
    reauthentication is run.
    """
    ap_ifname = apdev[0]['ifname']
    hostapd.add_ap(ap_ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    sta = dev[0]
    eap_connect(sta, apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(sta.ifname, ap_ifname)
    eap_reauth(sta, "FAST")
1289
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    Connects dev[0] with EAP-TLS using the PKCS#12 client credential and
    ocsp=2, i.e. the station requires a valid stapled OCSP response from
    the server.
    """
    sta = dev[0]
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever",
                ocsp=2)
1297
def int_eap_server_params():
    """Return hostapd parameters for a WPA2-Enterprise AP with the integrated EAP server.

    The returned dict is freshly built on every call so that callers may
    modify it (override server_cert/private_key, add OCSP settings, ...)
    without affecting other tests.

    Returns:
        dict of hostapd configuration keys to string values.
    """
    return dict(ssid="test-wpa2-eap",
                wpa="2",
                wpa_key_mgmt="WPA-EAP",
                rsn_pairwise="CCMP",
                ieee8021x="1",
                eap_server="1",
                eap_user_file="auth_serv/eap_user.conf",
                ca_cert="auth_serv/ca.pem",
                server_cert="auth_serv/server.pem",
                private_key="auth_serv/server.key")
1306
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    The AP staples an invalid OCSP response. With ocsp=2 the station must
    report a 'bad certificate status response' EAP status (within the first
    eleven status messages) and then CTRL-EVENT-EAP-FAILURE.

    Raises Exception if the status or the failure is not seen in time, or
    if too many unrelated status messages arrive first.
    """
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2,
                wait_connect=False, scan_freq="2412")
    # Allow up to ten unrelated status messages; the eleventh non-matching
    # one is treated as an error.
    for _attempt in range(11):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
1331
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The server certificate has no dNSName entry, so domain_suffix_match is
    evaluated against the CN. Both an exact match ("server3.w1.fi") on
    dev[0] and a parent-domain suffix ("w1.fi") on dev[1] must connect.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    common = dict(key_mgmt="WPA-EAP", eap="TLS",
                  identity="tls user", ca_cert="auth_serv/ca.pem",
                  private_key="auth_serv/user.pkcs12",
                  private_key_passwd="whatever",
                  scan_freq="2412")
    for sta, suffix in ((dev[0], "server3.w1.fi"), (dev[1], "w1.fi")):
        sta.connect("test-wpa2-eap", domain_suffix_match=suffix, **common)
1350
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    The server certificate has no dNSName entry, so domain_suffix_match is
    evaluated against the CN. An unrelated domain ("example.com") on dev[0]
    and a suffix that is not on a label boundary ("erver3.w1.fi") on dev[1]
    must both be rejected with CTRL-EVENT-EAP-FAILURE.

    Raises Exception if either failure is not reported.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    common = dict(key_mgmt="WPA-EAP", eap="TLS",
                  identity="tls user", ca_cert="auth_serv/ca.pem",
                  private_key="auth_serv/user.pkcs12",
                  private_key_passwd="whatever",
                  wait_connect=False,
                  scan_freq="2412")
    dev[0].connect("test-wpa2-eap", domain_suffix_match="example.com",
                   **common)
    dev[1].connect("test-wpa2-eap", domain_suffix_match="erver3.w1.fi",
                   **common)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    if dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report (2)")
1377
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    The AP presents an expired server certificate. The station must report
    a TLS certificate error with reason=4 / "certificate has expired" and
    then CTRL-EVENT-EAP-FAILURE.

    Raises Exception if the error is missing, carries a different reason,
    or the failure is not reported.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                wait_connect=False,
                scan_freq="2412")
    cert_err = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if cert_err is None:
        raise Exception("Timeout on EAP certificate error report")
    expired = "reason=4" in cert_err and "certificate has expired" in cert_err
    if not expired:
        raise Exception("Unexpected failure reason: " + cert_err)
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
1397
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate as test_ap_wpa2_eap_ttls_expired_cert,
    but the station sets phase1="tls_disable_time_checks=1", which turns
    off validity-period checking, so the connection is expected to succeed.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                phase1="tls_disable_time_checks=1",
                scan_freq="2412")
1409
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The AP's certificate carries only a client-authentication extended key
    usage, so the station must refuse to use it as a server certificate and
    report CTRL-EVENT-EAP-FAILURE.

    Raises Exception if the failure is not reported.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                wait_connect=False,
                scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
1424
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    The AP's certificate carries both client- and server-authentication
    extended key usages; since server authentication is present, the
    connection is expected to succeed.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                scan_freq="2412")
1435
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
    cfg = int_eap_server_params()
    # Certificate and key both come from the PKCS#12 container, so the
    # separate server_cert entry from the default parameters is dropped
    # (pop() raises KeyError just like del would if it were missing).
    cfg.pop("server_cert")
    cfg["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], cfg)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
1446
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # dh_file points the supplicant at an explicit DH parameter file for the
    # TLS handshake; eap_connect() raises if the connection does not complete.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="auth_serv/dh.conf")
1455
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # read_pem() strips the PEM armor and returns the decoded DER bytes; the
    # blob is handed to wpa_supplicant as a hex string.  NOTE: .encode("hex")
    # is a Python 2 str codec and has no Python 3 equivalent on bytes.
    dh_hex = read_pem("auth_serv/dh.conf").encode("hex")
    reply = dev[0].request("SET blob dhparams " + dh_hex)
    if "OK" not in reply:
        raise Exception("Could not set dhparams blob")
    # blob:// makes the supplicant use the just-stored blob instead of a
    # file on disk.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="blob://dhparams")
1467
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Short reauthentication period so the Authenticator forces a fresh EAP
    # exchange shortly after the initial one.
    ap_cfg['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    # The forced reauthentication must both start and succeed.
    for marker in ("CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-EAP-SUCCESS"):
        if dev[0].wait_event([marker], timeout=10) is None:
            raise Exception("Timeout on reauthentication")
    # Poll (up to 20 x 0.1 s) for the supplicant state machine to settle
    # back into COMPLETED after the new EAP run.
    for _ in range(20):
        if dev[0].get_status_field("wpa_state") == "COMPLETED":
            break
        time.sleep(0.1)
    else:
        raise Exception("Reauthentication did not complete")
1489
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Displayable text followed by a NUL-separated option string in the
    # EAP-Request/Identity; the peer is expected to ignore it and
    # authenticate normally.
    ap_cfg['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
1497
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    # hlr_auc_gw provides the SIM/AKA authentication vectors; without its
    # socket the test cannot run.
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"
    ap_cfg = int_eap_server_params()
    ap_cfg['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Server offers the protected (integrity-checked) result indication.
    ap_cfg['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_cfg)

    def run_method(method, identity, password):
        # dev[0] requests the protected result indication and then
        # reauthenticates; dev[1] authenticates with the same test
        # credentials without asking for it.
        eap_connect(dev[0], apdev[0], method, identity,
                    password=password, phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=password)

    def forget_networks():
        for sta in (dev[0], dev[1]):
            sta.request("REMOVE_NETWORK all")

    run_method("SIM", "1232010000000000",
               "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    forget_networks()

    run_method("AKA", "0232010000000000",
               "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    forget_networks()

    run_method("AKA'", "6555444333222111",
               "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1534
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A tiny fragment_size splits the TLS exchange into far more EAP
    # roundtrips than normal; the supplicant is expected to give up once its
    # roundtrip cap is exceeded (reported as the "EAP: more than" event)
    # rather than keep going indefinitely.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   fragment_size="10")
    if dev[0].wait_event(["EAP: more than"], timeout=20) is None:
        raise Exception("EAP roundtrip limit not reached")
1548
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The peer is configured for EAP-PSK; the "vendor-test" identity is
    # presumably mapped on the server to a method the peer does not accept,
    # so the peer should answer with an (expanded) NAK.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
                   wait_connect=False)

    # Scan at most five status events for the refusal.
    for _ in range(5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            break
    else:
        raise Exception("Unexpected EAP status: " + ev)

    # Refusing the proposed method must end in an EAP failure, not a
    # connection.
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")